Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ezviz Open Multimodal Analysis
v1.0.1萤石多模态理解技能。通过设备抓图 + 智能体分析接口,实现对摄像头画面的 AI 理解分析。 Use when: 需要对监控画面进行智能分析、场景识别、行为理解、物体检测等多模态 AI 分析任务。 ⚠️ 安全要求:必须设置 EZVIZ_APP_KEY 和 EZVIZ_APP_SECRET 环境变量,使用最小权限凭证。
⭐ 1· 267·0 current·0 all-time
byEzvizOpenTeam@ezviz-open
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name and description match the actual behavior: the code obtains an Ezviz access token, captures images from devices, and calls Ezviz AI agent analysis. The declared required env vars (EZVIZ_APP_KEY, EZVIZ_APP_SECRET, EZVIZ_DEVICE_SERIAL, EZVIZ_AGENT_ID) are appropriate for this purpose and no unrelated service credentials or binaries are requested.
Instruction Scope
SKILL.md and the scripts clearly describe and implement the intended workflow (token -> capture -> agent analysis). The instructions and code read OpenClaw config files as a fallback (~/.openclaw/*.json) and use environment variables as priority. They do not attempt to collect unrelated system data or send data to unexpected external endpoints (uses openai.ys7.com and aidialoggw.ys7.com as documented).
Install Mechanism
This is instruction + source files (no install spec). Declared dependency is lightweight (pip: requests). No downloads from arbitrary URLs or execution of code from unknown hosts are present in the install metadata.
Credentials
Requested environment variables are proportionate to the stated function. Caveat: the skill will fall back to reading OpenClaw channel config files for credentials if env vars are absent — the code only extracts channels.ezviz but the fallback behavior increases the attack surface if those files contain other secrets or are shared across skills. The SKILL.md explicitly recommends using minimal-permission AppKey/AppSecret.
Persistence & Privilege
The skill does not request elevated platform privileges and is not always-enabled. It writes a global token cache in the system temp directory (/tmp/ezviz_global_token_cache/global_token_cache.json) with 0600 permissions by default — this enables token reuse but means an access token is persisted on disk (shared across local processes/users with access). The skill does not modify other skills' configs.
Assessment
This skill appears to do what it says: call Ezviz APIs to capture images and send them to an Ezviz AI agent. Before installing: (1) create and use dedicated Ezviz AppKey/AppSecret with minimal permissions (don't reuse a master account); (2) if you prefer not to persist tokens on disk, set EZVIZ_TOKEN_CACHE=0 to disable caching; (3) ensure your ~/.openclaw/* config files do not contain unrelated secrets or shared credentials, because the skill may read channels.ezviz from those files as a fallback; (4) review the included scripts if you have additional concerns — endpoints used match the official docs provided in the package.Like a lobster shell, security has layers — review code before you run it.
latestvk978sa3452py2yh6sh8btnerhh835tkr
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🧠 Clawdis
EnvEZVIZ_APP_KEY, EZVIZ_APP_SECRET, EZVIZ_DEVICE_SERIAL, EZVIZ_AGENT_ID
Primary envEZVIZ_APP_KEY